CVE-2024-8953

In composiohq/composio version 0.4.3, the mathematical_calculator endpoint uses the unsafe eval() function to perform mathematical operations. This can lead to arbitrary code execution if untrusted input is passed to the eval() function.

CVSS v3 9.8 CRITICAL

9.8^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://huntr.com/bounties/8203d721-e05f-4500-a5bc-c0bec980420c	Exploit
https://huntr.com/bounties/8203d721-e05f-4500-a5bc-c0bec980420c	Exploit

Configurations

Configuration 1 (hide)

cpe:2.3:a:composio:composio:0.4.3:*:*:*:*:*:*:*

History

No history.

Information

Published : 2025-03-20 10:15

Updated : 2025-04-01 20:30

NVD link : CVE-2024-8953

Mitre link : CVE-2024-8953

CVE.ORG link : CVE-2024-8953

JSON object : View

Products Affected

composio

composio

CWE

CWE-627

Dynamic Variable Evaluation

CWE-913

Improper Control of Dynamically-Managed Code Resources

{"id": "CVE-2024-8953", "cveTags": [], "metrics": {"cvssMetricV30": [{"type": "Secondary", "source": "[email protected]", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 7.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.2}], "cvssMetricV31": [{"type": "Primary", "source": "[email protected]", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}]}, "published": "2025-03-20T10:15:44.843", "references": [{"url": "https://huntr.com/bounties/8203d721-e05f-4500-a5bc-c0bec980420c", "tags": ["Exploit"], "source": "[email protected]"}, {"url": "https://huntr.com/bounties/8203d721-e05f-4500-a5bc-c0bec980420c", "tags": ["Exploit"], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-627"}]}, {"type": "Primary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-913"}]}], "descriptions": [{"lang": "en", "value": "In composiohq/composio version 0.4.3, the mathematical_calculator endpoint uses the unsafe eval() function to perform mathematical operations. This can lead to arbitrary code execution if untrusted input is passed to the eval() function."}, {"lang": "es", "value": "En composiohq/composio versi\u00f3n 0.4.3, el endpoint mathematical_calculator utiliza la funci\u00f3n eval() no segura para realizar operaciones matem\u00e1ticas. Esto puede provocar la ejecuci\u00f3n de c\u00f3digo arbitrario si se pasa una entrada no confiable a la funci\u00f3n eval()."}], "lastModified": "2025-04-01T20:30:28.420", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:composio:composio:0.4.3:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "17A3924D-B2D4-467A-935A-CF760AA17B7D"}], "operator": "OR"}]}], "sourceIdentifier": "[email protected]"}